Audit evidence collection techniques are the systematic methods an IT auditor uses to gather, preserve, and document information supporting audit conclusions. Evidence is the factual foundation of every audit finding — it is what allows an auditor to state, with professional confidence, whether a control is operating effectively, a risk is being managed, or a compliance requirement is being met.
Four recognized evidence types exist:
1. Physical evidence — tangible items observed directly (hardware configurations, physical access controls, printed reports)
2. Documentary evidence — records in written or digital form (policies, access logs, system-generated reports, contracts)
3. Testimonial evidence — oral or written statements obtained through interviews or surveys
4. Analytical evidence — data relationships, trend analyses, reconciliations, or reperformed calculations that reveal logical conclusions
All evidence must satisfy four quality attributes — the SCRR framework:
- Sufficiency: enough evidence to support the conclusion
- Relevance: evidence directly addresses the control or objective under review
- Reliability: evidence is trustworthy — externally produced evidence ranks above internally produced evidence in the reliability hierarchy
- Competence: evidence is valid and obtained through sound methods
Evidence collection is distinct from audit findings, audit conclusions, and audit reporting — those are downstream outputs that depend on the evidence collected upstream.
Where it stops · what it isn't
- Audit evidence IS the raw information collected during fieldwork to support a specific audit objective — it is NOT the audit finding, opinion, or recommendation itself.
- Evidence collection applies within the audit fieldwork phase — it does NOT encompass audit planning (risk assessment, scope definition) or audit reporting (drafting findings, issuing opinions), though it informs both.
- Testimonial evidence IS a valid evidence type but ranks lowest in the reliability hierarchy — it does NOT substitute for corroborating documentary or analytical evidence in high-risk areas.
- Computer-Assisted Audit Techniques (CAATs) are an evidence collection method — they are NOT a separate evidence type. CAATs produce analytical or documentary evidence.
- Chain of custody procedures protect evidence integrity — they do NOT transform weak evidence into strong evidence.
- Audit evidence collection is scoped to the audit objective — it is NOT investigative forensics, which operates under different legal standards and chain-of-custody requirements.
Connected concepts in the graph
- PART OF: Information Systems Auditing Process (CISA Domain 1)
- REQUIRES: Risk-Based Audit Planning (defines scope and objectives that drive evidence requirements); Audit Standards Knowledge (ISACA IS Auditing Standards, IIA IPPF — define evidence quality benchmarks)
- ENABLES: Audit Findings and Conclusions (evidence is the foundation for defensible findings); Audit Reporting and Communication (sufficient evidence underpins the audit opinion)
- RELATED TO: Audit Testing and Sampling Methodology (sampling governs how evidence populations are selected); Audit Data Analytics (a specialized evidence collection and analysis method)
- CONSTRAINED BY: Regulatory Compliance Frameworks (SOX, HIPAA, GDPR impose mandatory evidence documentation and retention requirements)